Class RdqlDbEngine uses an eval statement during filtering that allows malicious PHP code to be run as the PHP user (line 318). Examples are trivial and are not posted here. Filters should be rewritten to use MySQL or other DB equivalents.
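The rewrite the report recommends, as an added example that is not RAP's own code: a whitelist tokenizer turns a restricted RDQL filter (a ?variable compared against a literal, comparisons joined by && or ||) into a parameterised SQL WHERE fragment, so the filter text never reaches eval(). The variable-to-column map and the table name in the final comment are assumptions.

```php
<?php
// Added example, not code from RAP's RdqlDbEngine. Instead of handing the RDQL
// filter string to eval(), tokenise it against a strict whitelist and emit a
// parameterised SQL WHERE fragment for the database to evaluate. The
// variable-to-column map ($columns) is an assumption made for illustration.

function filterToSql(string $filter, array $columns): array
{
    $ops   = ['eq' => '=', 'ne' => '<>', '==' => '=', '!=' => '<>',
              '<' => '<', '>' => '>', '<=' => '<=', '>=' => '>='];
    $joins = ['&&' => 'AND', '||' => 'OR'];
    // One token per match: ?variable, operator, connective, 'quoted string' or number.
    $re = '/\G\s*(\?[A-Za-z_]\w*|<=|>=|==|!=|<|>|eq|ne|&&|\|\||\'(?:[^\'\\\\]|\\\\.)*\'|-?\d+(?:\.\d+)?)/';

    $tokens = [];
    for ($pos = 0; trim(substr($filter, $pos)) !== ''; $pos += strlen($m[0])) {
        if (!preg_match($re, $filter, $m, 0, $pos)) {
            throw new InvalidArgumentException("Unexpected input at offset $pos");
        }
        $tokens[] = $m[1];
    }
    $sql = $params = [];
    for ($i = 0, $n = count($tokens); $i < $n; $i += 4) {   // ?var op literal [&& or ||] ...
        if ($i + 2 >= $n) throw new InvalidArgumentException('Incomplete comparison');
        [$var, $op, $val] = [$tokens[$i], $tokens[$i + 1], $tokens[$i + 2]];
        if ($var[0] !== '?' || !isset($columns[substr($var, 1)])) {
            throw new InvalidArgumentException("Unknown variable $var");
        }
        if (!isset($ops[$op])) throw new InvalidArgumentException("Unknown operator $op");
        if ($val[0] === "'") {              // quoted literal: undo the \' and \\ escapes
            $params[] = strtr(substr($val, 1, -1), ["\\'" => "'", '\\\\' => '\\']);
        } elseif (is_numeric($val)) {
            $params[] = $val + 0;
        } else {
            throw new InvalidArgumentException("Bad value $val");   // literals only, no ?var
        }
        $sql[] = $columns[substr($var, 1)] . ' ' . $ops[$op] . ' ?';
        if ($i + 3 < $n) {
            if (!isset($joins[$tokens[$i + 3]])) {
                throw new InvalidArgumentException("Expected && or || near {$tokens[$i + 3]}");
            }
            $sql[] = $joins[$tokens[$i + 3]];
        }
    }
    return [implode(' ', $sql), $params];
}

// "?age > 30 && ?name eq 'O\'Brien'"  ->  ["age > ? AND name = ?", [30, "O'Brien"]]
[$where, $params] = filterToSql("?age > 30 && ?name eq 'O\\'Brien'", ['age' => 'age', 'name' => 'name']);
// Bind as usual, e.g. $pdo->prepare("SELECT s, p, o FROM statements WHERE $where")->execute($params);
```

Every token must match the whitelist, so anything the grammar does not know about (function calls, semicolons, backticks) is rejected before any string is built, and the literals travel to the database as bound parameters rather than as SQL text.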